Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Published: 2026-03-20
Score: 9.3 Critical
EPSS: 5.7% Low
KEV: Yes
Impact: Unauthenticated Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in the public flow build endpoint of Langflow allows an attacker to supply arbitrary Python code that is executed without any sandboxing. By posting malicious flow data to the endpoint, an unauthenticated actor can run code on the server with the privileges of the Langflow process, leading to full compromise of the host. The weakness involves unprotected execution of user-supplied code, a classic remote code execution scenario.

Affected Systems

The vulnerability affects the Langflow application from langflow‑ai, specifically any deployment of versions earlier than 1.9.0. Clients that rely on the public flow build feature without enforcing authentication are at risk. Full vendor and product details locate the issue in the open source Langflow repository.

Risk and Exploitability

The CVSS score of 9.3 places the flaw in the high‑to‑critical band, and although the EPSS score is under 1%, the vulnerability is listed in the CISA KEV catalog, indicating known exploitation activity. Attackers can trigger the flaw by sending a crafted HTTP POST request to /api/v1/build_public_tmp/{flow_id}/flow, supplying flow data containing executable code. No authentication or additional conditions are required, making the exploit straightforward for an attacker with network access to the service.

Generated by OpenCVE AI on March 25, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Langflow to version 1.9.0 or later.
  • If an upgrade is not immediately possible, restrict access to the /api/v1/build_public_tmp/{flow_id}/flow endpoint or enforce authentication for this route.
  • Implement input validation on the data payload to reject untrusted Python code before execution as a temporary mitigator.

Generated by OpenCVE AI on March 25, 2026 at 20:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vwmf-pq79-vjvx Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
History

Wed, 25 Mar 2026 23:30:00 +0000

Type Values Removed Values Added
References

Wed, 25 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:langflow:langflow:1.9.0:dev0:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev10:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev11:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev1:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev2:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev3:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev4:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev5:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev6:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev7:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev8:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev9:*:*:*:*:*:*

Wed, 25 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-03-25T00:00:00+00:00', 'dueDate': '2026-04-08T00:00:00+00:00'}

Tue, 24 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev0:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev10:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev11:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev1:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev2:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev3:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev4:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev5:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev6:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev7:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev8:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.9.0:dev9:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
References

Fri, 20 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Langflow
Langflow langflow
Vendors & Products Langflow
Langflow langflow

Fri, 20 Mar 2026 05:15:00 +0000

Type Values Removed Values Added
Description Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Title Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint
Weaknesses CWE-306
CWE-94
CWE-95
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}

Subscriptions

Langflow Langflow
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T03:55:24.750Z

Reserved: 2026-03-17T17:22:14.666Z

Link: CVE-2026-33017

cve-icon Vulnrichment

Updated: 2026-03-20T17:10:40.185Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T05:16:15.550

Modified: 2026-03-26T13:26:16.393

Link: CVE-2026-33017

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T21:28:17Z

Weaknesses